Abstract. When their reading heads are allowed to move completely asynchronously,
finite-state automata with multiple tapes achieve a significant expressive power, but
also lose useful closure properties — closure under intersection, in particular. This
paper investigates to what extent it is still feasible to use multi-tape automata as
recognizers of polyadic predicates on words. On the negative side, determining whether
the intersection of asynchronous multi-tape automata is expressible is not even
semidecidable. On the positive side, we present an algorithm that computes
under-approximations of the intersection, and discuss conditions under which it can
construct complete intersections. A prototype implementation and a few non-trivial
examples demonstrate the algorithm in practice.

1 Multi-Tape Automata As Decision Procedures 

Software verification needs expressive logics and powerful decision procedures. Since 
these requirements are contrasting — with great expressive power comes great undecid- 
ability — the chief research challenge is finding new combinations of formalisms that 
achieve an advantageous trade-off between expressiveness and complexity. In this pa- 
per, we investigate using multi-tape finite automata to build decision procedures for 
fragments of first-order theories with interpreted functions that are germane to program 
verification. 

Standard finite-state automata are simple computing devices widely used in computer
science. They define a robust class of language acceptors, as each automaton instance
$A$ identifies a set $\mathcal{L}(A)$ of words that it accepts as input. The connection
between finite-state automata and predicate logic has been well known since the work
of Büchi [3, 4] and others [26, 6], and is widely used in applications such as model
checking: each automaton $A_P$ can be seen as implementing a monadic (that is, unary)
predicate $P(x)$, in the sense that the set $\mathcal{L}(A_P)$ of words accepted by the
automaton corresponds to the set $\{x \mid x \models P(x)\}$ of models of the predicate.
Logic connectives (negation $\neg$, conjunction $\wedge$, etc.) translate into
composition operations on automata (complement, intersection $\cap$, etc.), so that
finite-state automata can capture the semantics of arbitrary first-order monadic
formulas whose interpreted atomic predicates are implementable. This gives a very
efficient way to decide the satisfiability of monadic logic formulas representable by
finite-state automata: unsatisfiability of a formula corresponds to emptiness of its
automaton, which is testable in linear time.

It is natural to extend this framework to represent $n$-ary predicates, for $n > 1$, by
means of multi-tape finite-state automata. An $n$-tape automaton $A_R$ is a device that
accepts $n$-tuples of words, corresponding to the set of models of a predicate
$R(x_1, \ldots, x_n)$ over $n$ variables. Section 2 defines multi-tape automata and
summarizes some of their fundamental properties. It turns out that the class of
multi-tape automata (in their most expressive asynchronous variant) is not as robust as
one-tape automata. In particular, multi-tape automata¹ are not closed under intersection
[10], and hence the conjunction of $n$-ary predicates is not implementable in general.

This paper investigates to what extent this hurdle can be bypassed in practice. On the
negative side, we prove that determining whether the intersection of two multi-tape
automata $A, B$ is expressible as an automaton is neither decidable nor semi-decidable.
On the positive side, we provide an algorithm $\mathcal{I}(A, B, d)$ that computes an
under-approximation of the intersection $A \cap B$ of $A$ and $B$, bounded by a given
maximum delay $d$ between heads on different tapes. The algorithm has the property that,
if the intersection is expressible, then there exists a finite delay $d$ such that
$\mathcal{I}(A, B, d)$ returns the complete intersection. We also detail simple sufficient
syntactic conditions on $A$ and $B$ for the algorithm to return complete intersections.
Based on these, we implemented the algorithm and tried it on a number of examples
inspired by the verification conditions of programs operating on sequences. While the
examples are preliminary, they suggest that the framework based on multi-tape automata
can supply new ways to reason automatically about expressive theories, as automata make
for succinct implementations of atomic predicates. For lack of space, details of proofs
and results are available in the Appendix.

2 Preliminaries 

$\mathbb{Z}$ is the set of integer numbers, and $\mathbb{N}$ is the set of natural
numbers $0, 1, \ldots$. For a (finite) set $S$, $\wp(S)$ denotes its powerset. For a
finite nonempty alphabet $\Sigma$, $\Sigma^*$ denotes the set of all finite sequences
$\sigma_1 \cdots \sigma_n$, with $n \geq 0$, of symbols from $\Sigma$, called words over
$\Sigma$; when $n = 0$, $\epsilon \in \Sigma^*$ is the empty word. $|s| \in \mathbb{N}$
denotes the length $n$ of a word $s = \sigma_1 \cdots \sigma_n$. An $n$-word is an
$n$-tuple $(s_1, \ldots, s_n) \in (\Sigma^*)^n$ of words over $\Sigma$.

Given a sequence $s = x_1 \cdots x_n$ of objects, a permutation
$\pi : \{1, \ldots, n\} \to \{1, \ldots, n\}$ is a bijection that rearranges $s$ into
$\pi(s) = \pi_1 \cdots \pi_n$ with $\pi_i = x_{\pi(i)}$ for $i = 1, \ldots, n$. An
inversion of a permutation $\pi$ of $s$ is a pair $(i, j)$ of indices such that $i < j$
and $\pi(i) > \pi(j)$. For example, the permutation that turns $a_1 a_2 a_3 b_1 b_2$ into
$b_1 b_2 a_1 a_2 a_3$ has 6 inversions.

2.1 Multi-Tape Finite Automata 

A finite-state automaton with $n \geq 1$ tapes scans $n$ read-only input tapes, each with
an independent head. At every step, the current state determines the tape to be read, and
the transition function defines the possible next states based on the current state and
the symbol under the reading head. A special symbol $\$$ marks the right end of each
input tape; $\Sigma_\$$ denotes the extended alphabet $\Sigma \cup \{\$\}$.

¹ We do not consider more powerful classes of multi-tape automata, such as pushdown
automata, as they typically possess even fewer closure or decidability properties [16]
unless they are significantly restricted to specific classes of languages [7].
Definition 1 (n-tape automaton). An $n$-tape finite-state automaton $A$ is a tuple
$(\Sigma, T, Q, \tau, \delta, Q_0, F)$ where: $\Sigma$ is the input alphabet, with
$\$ \notin \Sigma$; $T = \{t_1, \ldots, t_n\}$ is the set of tapes; $Q$ is the finite set
of states; $\tau : Q \to T$ assigns a tape to each state;
$\delta : Q \times \Sigma_\$ \to \wp(Q)$ is the (nondeterministic) transition function;
$Q_0 \subseteq Q$ are the initial states; $F \subseteq Q$ are the accepting (final) states.

We write $A(t_1, \ldots, t_n)$ when we want to emphasize that $A$ operates on the $n$
tapes $t_1, \ldots, t_n$; $A(t'_1, \ldots, t'_n)$ denotes an instance of $A$ with each
tape $t_i$ renamed to $t'_i$. Without loss of generality, assume that the accepting states
have no outgoing edges: $\delta(q_F, \sigma)$ is undefined for all $q_F \in F$. Also,
whenever convenient we represent the transition function $\delta$ as a relation, that is
the set of triples $(q, \sigma, q')$ such that $q' \in \delta(q, \sigma)$.

A configuration of an $n$-tape automaton $A$ is an $(n+1)$-tuple
$(q, y_1, \ldots, y_n) \in Q \times (\Sigma_\$^*)^n$, where $q \in Q$ is the current
state and, for $1 \leq k \leq n$, $y_k$ is the input on the $k$-th tape still to be read.
A run $\rho$ of $A$ on input $x = (x_1, \ldots, x_n) \in (\Sigma^*)^n$ is a sequence of
configurations $\rho = \rho_0 \cdots \rho_m$ such that: (1)
$\rho_0 = (q_0, x_1\$, \ldots, x_n\$)$ for some initial state $q_0 \in Q_0$; and (2) for
$0 \leq k < m$, if $\rho_k = (q, y_1, \ldots, y_n)$ is the $k$-th configuration, with
$t_h = \tau(q)$ the tape read in state $q$, and $y_h = \sigma y'_h$ with
$\sigma \in \Sigma_\$$ and $y'_h \in \Sigma_\$^*$ on the $h$-th tape, then
$\rho_{k+1} = (q', y'_1, \ldots, y'_n)$ with $q' \in \delta(q, \sigma)$ and $y'_i = y_i$
for all $i \neq h$. A run $\rho$ is accepting if $\rho_m = (q_F, y_1, \ldots, y_n)$ for
some accepting state $q_F \in F$. $A$ accepts an $n$-word $x$ if there exists an accepting
run of $A$ on $x$. The language accepted (or recognized) by $A$ is the set
$\mathcal{L}(A)$ of all $n$-words that $A$ accepts. The $n$-automatic languages are the
class of languages accepted by some $n$-tape automaton. Whenever $n$ is clear from the
context, we will simply write "words" and "automata" to mean "$n$-words" and "$n$-tape
automata".

Definition 2. An $n$-tape automaton $A$ is: deterministic if $|Q_0| \leq 1$ and
$|\delta(q, \sigma)| \leq 1$ for all $q, \sigma$; synchronous for $s \in \mathbb{N}$ if
every run of $A$ is such that any two heads that have not scanned their whole input are
no more than $s$ positions apart; asynchronous if it is not synchronous for any $s$.

Example 3. Figure 1 shows a deterministic automaton $A_=$ with two tapes $X, Y$ that
recognizes pairs of equal words over $\{a, b\}$. Each state is labeled with the tape read
and with a number for identification (the final state's tape label is immaterial, and
hence omitted). $A_=$ reads one letter on tape $Y$ immediately after reading one letter
on tape $X$, hence it is synchronous for $s = 1$. Automaton $A_\circ$ in Figure 2
recognizes triples of words such that the word on tape $Z$ equals the concatenation of
the words on tapes $X$ and $Y$ (ignoring the end-markers). It is asynchronous because the
length of $X$ is not bounded: when the reading on tape $Y$ starts, the head on $Z$ is at a
distance equal to the length of the input on $X$.

Fig. 1. 2-tape deterministic synchronous automaton $A_=$.

Fig. 2. 2-tape deterministic asynchronous automaton $A_\circ$.

2.2 Closure Properties and Decidability

Automata define languages, which are sets of words; correspondingly, we are interested
in the closure properties of automata with respect to set-theoretic operations on their
languages. Specifically, we consider closure under complement, intersection, and union;
and the emptiness problem: given an automaton $A$, decide whether
$\mathcal{L}(A) = \emptyset$, that is whether it accepts some word. The complement of a
language $L$ over $n$-words over $\Sigma$ is with respect to the set $(\Sigma^*)^n$; the
intersection $L_1 \cap L_2$ is also applicable when $L_1$ is a language over $n$-words
and $L_2$ a language over $m$-words, with $m > n$: define $L_1 \cap L_2$ as the set of
$m$-tuples $(x_1, \ldots, x_m)$ such that $(x_1, \ldots, x_n) \in L_1$ and
$(x_1, \ldots, x_m) \in L_2$; a similar definition works for unions. We lift
set-theoretic operations from languages to automata; for example, the intersection
$A_3 = A_1 \cap A_2$ of two automata $A_1, A_2$ is an automaton $A_3$ such that
$\mathcal{L}(A_3) = \mathcal{L}(A_1) \cap \mathcal{L}(A_2)$; we assume that intersected
automata share the tapes with the same name (in the same order). The rest of this section
summarizes the fundamental closure properties of multi-tape automata; see [10] for a
more detailed presentation and references.

Synchronous automata [18, 19] define a very robust class of languages: they have the
same expressiveness whether deterministic or nondeterministic; they are closed under
complement, intersection, and union; and emptiness is decidable. In fact, computations of
synchronous $n$-tape automata can be regarded as computations of standard single-tape
automata over the $n$-track alphabet $(\Sigma \cup \{\square\})^n$, where the fresh
symbol $\square$ pads some of the $n$ input strings so that they all have the same
length. Under this convention, the standard constructions for finite-state automata
apply to synchronous automata as well. Most applications of multi-tape automata to date
have targeted synchronous automata (see Section 6), which have, however, a limited
expressive power.

Asynchronous automata are strictly more expressive than synchronous ones, but are also
less robust:

- Nondeterministic asynchronous automata are strictly more expressive than
deterministic ones.

- Deterministic asynchronous automata are closed under complement, using the standard
construction that complements the accepting states. They are not closed under union,
although the union of two deterministic asynchronous automata always is a
nondeterministic automaton. They are not closed under intersection because, intuitively,
the parallel computations in the two intersected automata may require the heads on the
shared tapes to diverge.

- Nondeterministic asynchronous automata are not closed under complement or
intersection, but are closed under union using the standard construction that takes the
union of the transition graphs.

- Emptiness is decidable for asynchronous automata (deterministic and nondeterministic):
it amounts to testing reachability of accepting states from initial states on the
transition graph.

3 Multi-Tape Automata: Negative Results 

Since multi-tape automata are not closed under intersection, we try to characterize the 
class of intersections that are expressible as automata. A logical characterization is 
arduous to get, because conjunction would be inexpressible in general. Indeed, we can 
prove some strong undecidability results. 

Automatic intersection is undecidable. The automatic intersection problem is the
problem of determining whether the intersection language $\mathcal{L}(A) \cap \mathcal{L}(B)$
of two automata $A$ and $B$ is automatic, that is, it is accepted by some multi-tape
automaton.

Theorem 4. The automatic intersection problem is not semidecidable. 

Proof. Following [14, 15], we consider valid computations of Turing machines. A
single-tape Turing machine $M$ has state set $S$, input alphabet $I$, transition relation
$\delta \subseteq S \times I \times S \times I \times \{-1, 0, 1\}$; and $s_0, s_F \in S$
respectively are the initial state and the accepting state (unique, without loss of
generality). We can write $M$'s configurations as strings over $I \cup S$ of the form
$i_1 \cdots i_k \, s \, i_{k+1} \cdots i_m$ where $i_1 \cdots i_m \in I^*$ is the sequence
of symbols on the tape, $s$ is the current state, and the read/write head is over the
symbol $i_{k+1}$. The set $ACC(M)$ of accepting computations contains all words of the
form $\# w_1 \# \cdots \# w_m \#$, with $\# \notin I \cup S$, such that each $w_k$ is a
configuration of $M$, $w_1$ is an initial configuration (of the form $s_0 I^*$), $w_m$
is an accepting configuration (of the form $I^* s_F I^*$), and $w_{k+1}$ is a valid
successor of $w_k$ according to $\delta$, for all $1 \leq k < m$ (that is, for
$w_k = i_1 \cdots i^- \, s \, i^+ \cdots i_n$ and $(s, i^+, s', i', h) \in \delta$ then:
if $h = -1$ then $w_{k+1} = i_1 \cdots s' \, i^- \, i' \cdots i_n$; if $h = 0$ then
$w_{k+1} = i_1 \cdots i^- \, s' \, i' \cdots i_n$; if $h = +1$ then
$w_{k+1} = i_1 \cdots i^- \, i' \, s' \cdots i_n$). The problem of determining, for a
generic $M$, whether $ACC(M)$ is regular is not semidecidable [14].

Consider now the language $L_{M^2}$ defined as $\{(x, x) \mid x \in ACC(M)\}$. Since the
single-component projection of an automatic language is always regular [24], if
$L_{M^2}$ is automatic then $ACC(M)$ is regular. We can express $L_{M^2}$ as the
intersection of two languages $L^1_M$ and $L^2_M$. $L^1_M$ is the set of 2-words
$(\# u_1 \# \cdots \# u_m \#, \; \# v_1 \# \cdots \# v_m \#)$ such that: $u_1$ is an
initial configuration of $M$; $v_m$ is an accepting configuration; for $1 \leq k < m$,
$u_k$ is a valid configuration and $v_{k+1}$ is a valid successor of $u_k$. $L^2_M$ is
simply the set of 2-words whose first and second component are equal. It is not
difficult to see that $L^1_M \cap L^2_M = L_{M^2}$ and both $L^1_M$ and $L^2_M$ are
automatic. An automaton for $L^2_M$ works synchronously by alternately reading and
comparing one character from each tape, generalizing the automaton in Figure 1. An
automaton for $L^1_M$ starts with the second head moving forward to $v_1$; it then
compares each $u_k$ and $v_{k+1}$ one character at a time, checking that they are
consistent with $M$'s $\delta$.
We can finally prove the theorem by contradiction: assume the automatic intersection
problem is semidecidable. Then, the following is a semi-decision procedure for the
problem of determining whether $ACC(M)$ is regular. Construct the automata for $L^1_M$
and $L^2_M$. If $L^1_M \cap L^2_M = L_{M^2}$ is automatic, then the semi-decision
procedure for automatic intersection halts with positive outcome; then we conclude that
$ACC(M)$ is regular; otherwise loop forever. Since regularity of $ACC(M)$ is not
semidecidable, we have a contradiction. □

Automatic nondeterministic complement is undecidable. Since nondeterministic automata
are closed under union, and the intersection $L_1 \cap L_2$ of any two languages is
expressible as $\overline{\overline{L_1} \cup \overline{L_2}}$ using only union and
complement, the undecidability Theorem 4 carries over to the automatic complement
problem (defined as obvious) — but only for nondeterministic automata, since
deterministic automata are closed under complement. Notice, in particular, that the
complements of the languages $L^1_M$ and $L^2_M$ used in the proof of Theorem 4 are
automatic, and their union is nondeterministic; therefore, for nondeterministic
languages, deciding whether intersection is automatic is tantamount to deciding whether
complement is automatic.

Corollary 5. The automatic complement problem (determining whether the complement of
an automatic nondeterministic language is automatic) is not semidecidable.



4 Multi-Tape Automata: Positive Results 

The undecidability of whether an intersection is automatic does not prevent the
definition of approximate algorithms for intersection. Section 4.1 describes one such
algorithm that bounds the maximum delay between corresponding heads of the intersecting
automata. As we show in Sections 4.2 and 4.3, the algorithm constructs approximations
with some nice properties: they under-approximate the real intersection; when the real
intersection is automatic, there is some finite bound on delays for which the
approximation is complete; and there are simple syntactic conditions under which a bound
of zero delay still yields a complete intersection. Section 4.4 discusses to what extent
some of these results can be extended to the approximation of complement for
nondeterministic automata.



4.1 An Algorithm for the Under-Approximation of Intersection

This section outlines an algorithm $\mathcal{I}(A, B, d)$ that inputs two multi-tape
automata $A$ and $B$ and a delay bound $d \in \mathbb{N} \cup \{\infty\}$ and returns a
multi-tape automaton $C$ that approximates the intersection $A \cap B$ to within delay
$d$. The intersection construction extends the classic "cross-product" construction:
simulate the parallel runs of the two composing automata by keeping track of what
happens in each component.

Informal overview. Let us introduce the algorithm's basics through examples. Consider
the intersection of $A_=$ and $A_\circ$ in Figures 1 and 2; the initial state is labeled
$(=_1, \circ_1)$ to denote that it combines states $=_1$ (i.e., state 1 in $A_=$) and
$\circ_1$ (state 1 in $A_\circ$). As the intersection develops, the composing automata
synchronize on transitions on shared tapes and proceed asynchronously on non-shared
tapes. In the example, there is a synchronized transition from $(=_1, \circ_1)$ to
$(=_2, \circ_2)$ upon reading $a$ on shared tape $X$, and an asynchronous transition from
the latter state to $(=_2, \circ_1)$ upon reading $a$ on $A_\circ$'s non-shared tape $Z$.
$A_=$ in state $=_2$ can also read $a$ on shared tape $Y$; this is a valid move in the
intersection even if $A_\circ$ cannot read on tape $Y$ until it reaches state $\circ_4$.
Since reading can proceed on other tapes, we just have to "delay" the transition that
reads $a$ on $Y$ to a later point in the computation and store this delay using the
states of the intersection automaton; $A_\circ$ will then be able to take other
transitions and will consume the delayed ones asynchronously before taking any other
transition on $Y$ (that is, delays behave as a FIFO queue). For example, when the
intersection reaches state $(=_4, \circ_4)$, $A_\circ$ can read $a$ on $Y$ matching
$A_=$'s delayed transition (which is then consumed). Here is a picture showing these
steps:




Delays may become unbounded in some cases. In the example, automaton $A_=$ may
accumulate arbitrary delays on tape $Y$ while in states $=_1, =_2, =_3$; this
corresponds to the intersection automaton "remembering" an arbitrary word on tape $Y$
to compare it against $Z$'s content later. An unbounded delay is necessary in this case,
as the computations of $A_=$ and $A_\circ$ manage the heads on $X$ and $Y$ in
irreconcilable ways: the intersection language of $A_=$ and $A_\circ$ is not automatic.

The algorithm. Consider two automata
$A = (\Sigma, Q_A, \delta_A, Q_{0,A}, F_A, T_A, \tau_A)$ and
$B = (\Sigma, Q_B, \delta_B, Q_{0,B}, F_B, T_B, \tau_B)$, such that $A$ has $m$ tapes
$T_A = \{t^A_1, \ldots, t^A_m\}$ and $B$ has $n$ tapes $T_B = \{t^B_1, \ldots, t^B_n\}$.
We present an algorithm $\mathcal{I}(A, B, d)$ that constructs an automaton
$C = (\Sigma, Q, \delta, Q_0, F, T, \tau)$, with $C$'s tapes $T = T_A \cup T_B$, such
that $\mathcal{L}(C) \subseteq \mathcal{L}(A) \cap \mathcal{L}(B)$. We describe the
algorithm as the combination of fundamental operations, introduced as separate
routines. All components of the algorithm have access to the definitions of $A$ and $B$,
to the definition of $C$ being built, and to a global stack $s$ where new states of the
composition are pushed (when created) and popped (when processed). The complete
pseudo-code of the routines is in the Appendix.

Routine async_next (lines 1-17 in Figure 3) takes a $t$-tape automaton $D$ (i.e., $A$
or $B$) and one of its states $q$, and returns a set of tuples $(q', h_1, \ldots, h_t)$
of all next states reachable from $q$ by accumulating delayed transitions
$h_i \in (\delta_D)^*$ in tape $t_i$ for $1 \leq i \leq t$. We call delayed states such
tuples of states with delayed transitions. The search for states reachable from $q$
stops at the first occurrences of states associated with a certain tape. For example,
async_next$(A_\circ, \circ_1)$ consists of $(\circ_1, \epsilon, \epsilon, \epsilon)$,
$(\circ_2, (\circ_1, a, \circ_2), \epsilon, \epsilon)$,
$(\circ_3, (\circ_1, b, \circ_3), \epsilon, \epsilon)$,
$(\circ_4, (\circ_1, \$, \circ_4), \epsilon, \epsilon)$,
$(\circ_5, (\circ_1, \$, \circ_4), (\circ_4, a, \circ_5), \epsilon)$,
$(\circ_6, (\circ_1, \$, \circ_4), (\circ_4, b, \circ_6), \epsilon)$, and
$(\circ_7, (\circ_1, \$, \circ_4), (\circ_4, \$, \circ_7), \epsilon)$.

Consider now a pair of delayed states $(p, h_1, \ldots, h_m)$ and $(q, k_1, \ldots, k_n)$,
respectively of $A$ and $B$. The two states can be composed only if the delays on the
synchronized tapes are pairwise consistent, that is, the sequence of input symbols of
one is a prefix (proper or not) of the other's; otherwise, the intersection will not be
able to consume the delays in the two components because they do not match.
cons$(h_i, k_i)$ denotes that the sequences $h_i, k_i$ of delayed transitions are
consistent. Routine new_states (lines 19-26 in Figure 3) takes two sets $P, Q$ of
delayed states and returns all consistent states obtained by composing them.
new_states also pushes onto the stack $s$ all composite states that have not already
been added to the composition. For convenience, new_states also embeds the tape $t$ of
each new composite state within the state itself. (All tapes are considered: states
corresponding to inconsistent choices will be dead ends.)

To add arbitrary prefixes to the delays of delayed states generated by new_states,
routine compose_transition (lines 28-33 in Figure 3) takes two sets $P, Q$ of delayed
states and an $(m + n)$-tuple of delays, and calls new_states on the modified states
obtained by orderly adding the delays to the states in $P$ and $Q$. It also adds all
transitions reaching the newly generated states to $C$'s transition function $\delta$.

We are ready to describe the main routine intersect, which builds $C$ from $A$ and $B$;
see Figure 4 for the pseudo-code (some symmetric cases are omitted for brevity).
intersect takes as arguments a bound max_states on the maximum number of states and a
bound max_delay on the maximum delay (measured in number of transitions) accumulated in
the states. After building the initial states of the compound (lines 4-5), intersect
enters a loop until either no more states are generated (i.e., the stack $s$ is empty)
or it has reached the bound max_states on the number of states. Each iteration of the
loop begins by popping a state $r$ from the top of the stack (line 7). $r$ is normally
added to the set $Q$ of $C$'s states, unless some of its sequences of delayed
transitions are longer than the delay bound max_delay; in this case, the algorithm
discards $r$ and proceeds to the next iteration of the loop (line 8). If $r$ is not
discarded, intersect builds all composite states reachable from $r$. These depend on
the tape $t$ read when in $r$: if it is shared between $A$ and $B$ we have synchronized
transitions (lines 10-30), otherwise we have an asynchronous transition of $A$ (lines
32-41) or one of $B$ (line 43).

Consider the case of a synchronized transition on some shared tape $t \in T_A \cap T_B$.
While both $A$ and $B$ must read the same symbol on the same tape, they may do so by
consuming some transition that has been delayed. For example, if $A$ has a non-empty
delay $h_t \neq \epsilon$ for tape $t$, it will consume the first transition
$(u_a, \sigma, u'_a)$ in $h_t$; since the transition is delayed, $A$'s next state in the
compound is not determined by the delayed transition (which only reads the input
$\sigma$ at a delayed instant) but by $A$'s current state $q_a$ in the compound (line
12 and line 17). The reached states are the composition of those reached within $A$ and
$B$, with the delays updated so as to remove the delayed transitions consumed. For
example, lines 12-14 correspond to both $A$ and $B$ taking a delayed transition, whereas
lines 17-20 correspond to $A$ taking a delayed transition and $B$ taking a "normal"
transition determined by its transition function $\delta_B$ on symbol $\sigma$. If
neither $A$ nor $B$ has delayed transitions for tape $t$, they can only perform normal
transitions according to their transition functions, without consuming the delays
stored in the state; this is shown in lines 26-30.

The final portion of intersect (from line 32) handles the case of transitions on 
some non-shared tape t. In these cases, the component of the state r corresponding 
to the automaton that does not have tape t does not change at all, whereas the other 
component is updated as usual — either by taking a delayed transition (lines 33-35) or 
by following its transition function (lines 37-41). 
The output of $\mathcal{I}(A, B, d)$ coincides with the main routine intersect called on
$A$ and $B$ with no bound on the number of states and max_delay $= d$; the final states
$F$ in $C$ coincide with those whose components are both final in $A$ and $B$ and have
no delayed transitions.

4.2 Correctness and Completeness 

In the proofs of this section, we make the simplifying assumption that all tapes are
shared: $T_A = T_B = T$; handling non-shared tapes is straightforward. Let us show that
$\mathcal{I}(A, B, d)$ is correct, that is, it constructs an under-approximation of the
intersection.

Theorem 6 (Correctness). For every finite delay $d \in \mathbb{N}$,
$\mathcal{I}(A, B, d)$ returns a $C$ such that
$\mathcal{L}(C) \subseteq \mathcal{L}(A) \cap \mathcal{L}(B)$.

Proof. Let us show that $x \in \mathcal{L}(C)$ implies
$x \in \mathcal{L}(A) \cap \mathcal{L}(B)$. The basic idea is that, given an accepting
run $\rho = \rho_0 \rho_1 \cdots \rho_n$ of $C$ on $x$, one can construct two
permutations $\pi_A, \pi_B$ such that $\pi_A(\rho)$ is an accepting run of $A$ and
$\pi_B(\rho)$ is an accepting run of $B$ on $x$. The permutation $\pi_A$ is constructed
as follows (constructing $\pi_B$ works in the same way): each element $\rho_k$ in $\rho$,
for $0 \leq k \leq n$, corresponds to either a synchronous or a delayed transition of
$A$; in the former case, $\pi_A$ does not change the position of $\rho_k$, otherwise it
moves it to where the transition was delayed (i.e., consumed asynchronously). For
accepting runs, it is always possible to construct such permutations, since accepting
states in $C$ have no delays, and hence delayed transitions must have been consumed
somewhere before reaching the accepting state. □

When called with delay $d = \infty$, $\mathcal{I}(A, B, d)$ may not terminate. Its
potentially non-terminating process defines, however, a (possibly infinite-state)
automaton that is complete for the intersection.

Theorem 7 (Completeness). $\mathcal{I}(A, B, \infty)$ defines a $C$ such that
$\mathcal{L}(C) = \mathcal{L}(A) \cap \mathcal{L}(B)$.

Proof. Obviously, every accepting run is finite, even if $C$ is infinite-state. Then, the
same proof of Theorem 6 shows that $\mathcal{L}(C) \subseteq \mathcal{L}(A) \cap \mathcal{L}(B)$.
For the converse, let us show that $x \in \mathcal{L}(A) \cap \mathcal{L}(B)$ implies
$x \in \mathcal{L}(C)$. Given a run (a sequence of configurations)
$\rho = \rho_0 \cdots \rho_n$, let $[\rho]_\tau$ be the sequence where each
$\rho_i = (q_i, \ldots)$ is replaced by the tape read $\tau(q_i)$. Since
$x \in \mathcal{L}(A)$ and $x \in \mathcal{L}(B)$, there exist accepting runs
$\rho^A = \rho^A_0 \rho^A_1 \cdots \rho^A_n$ of $A$ and
$\rho^B = \rho^B_0 \rho^B_1 \cdots \rho^B_n$ of $B$ on $x$. Consider now two
permutations $\Pi_A, \Pi_B$ such that: (1) $[\Pi_A(\rho^A)]_\tau = [\Pi_B(\rho^B)]_\tau$
(the permutations give the same tape order); (2) for each tape $t$, consider the
subsequence $s(\rho^A, t)$ of $[\rho^A]_\tau$ that only keeps the elements equal to
$t$; then, $\Pi_A$ restricted to $s(\rho^A, t)$ has no inversions (the permutations do
not invert subsequences of the same tape); and (3) the same as (2) for $\rho^B$. It is
always possible to find such $\Pi_A, \Pi_B$, because $\rho^A, \rho^B$ are runs on the
same word $x$, and hence they read in the same order on the same tapes. Finally, one can
see that $\Pi_A(\rho^A)$ and $\Pi_B(\rho^B)$ define a common accepting run $\rho$ of $C$
on $x$, where each transition corresponds, e.g., to a "normal" transition of $A$ when
the permutation does not change the position of $A$'s component in $\rho$, and to a
delayed transition otherwise. Thus, $\Pi_A, \Pi_B$ behave, for matching runs, as
inverses of the $\pi_A, \pi_B$ in the proof of Theorem 6. □
We can generalize the technique used in the proofs of Theorems 6 and 7 to show that
$\mathcal{I}(A, B, d)$ is complete for some finite delay bounds whenever the
intersection of $A$ and $B$ is automatic. The new intuition in the proof is that it is
always sufficient to bound the delay by the (maximum) number $N$ of states of $A$, $B$,
and the intersection $A \cap B$ (which exists by hypothesis). Computations on longer
words can always synchronize some of the delayed transitions before they exceed $N$,
because the number of delayed transitions cannot be more than the finite memory of $A$,
$B$, and the intersection — an argument similar to the pumping lemma applied to
automatic languages.

Theorem 8. If $\mathcal{L}(A) \cap \mathcal{L}(B)$ is automatic, then there exists an
integer $N \in \mathbb{N}$ such that $\mathcal{I}(A, B, N)$ returns a $C$ such that
$\mathcal{L}(C) = \mathcal{L}(A) \cap \mathcal{L}(B)$.

4.3 Sufficient Conditions for Completeness 

Based on the notion of run permutation used in the previous paragraph, we can give
simple sufficient conditions for $\mathcal{I}(A, B, d)$ to return complete
intersections. If there exists a $b \in \mathbb{N}$ such that, for all accepting runs
$\rho^A$ of $A$ and $\rho^B$ of $B$ on any $x \in \mathcal{L}(A) \cap \mathcal{L}(B)$,
the permutations $\Pi_A, \Pi_B$ that reconcile the tape order in the intersection run
$\rho$ are such that the number of inversions of both $\Pi_A$ and $\Pi_B$ is at most
$b$, then $\mathcal{I}(A, B, b)$ returns a $C$ such that
$\mathcal{L}(C) = \mathcal{L}(A) \cap \mathcal{L}(B)$. In fact, intersect generates all
states in the intersection reachable with delays at most $b$ on any tape, and the runs
defined by $\Pi_A(\rho^A)$ and $\Pi_B(\rho^B)$ belong to this finite portion of the
intersection (words that require more than $b$ delayed transitions are rejected as soon
as the delay would exceed $b$). Non-shared tapes can be ignored because input on
non-shared tapes can always be performed asynchronously. This condition based on run
permutations is hard to establish in the general case. There are, however, two special
cases where it immediately holds.

Corollary 9. 1. If $\mathcal{L}(A) \cap \mathcal{L}(B)$ is finite with $b$ the length of
its longest words, then $\mathcal{I}(A, B, b + 1)$ returns a $C = A \cap B$.
2. If, in each run, there is at most one shared tape, then $\mathcal{I}(A, B, 0)$
returns a $C = A \cap B$, because the run permutations are identities.

Example 10. Consider the intersection of $A_1 = A_\circ(X, Y, Z)$ and
$A_2 = A_=(Z, W)$ (the latter is $A_=$ in Figure 1 with tapes renamed to $Z$ and $W$).
Since $A_1$ and $A_2$ only share tape $Z$, they can be ready to read synchronously on
$Z$ whenever necessary without having to delay such transitions, since asynchronous
transitions can be interleaved ad lib. Therefore, bounding the construction to have no
delays gives an automaton that accepts precisely the intersection of $A_1$'s and
$A_2$'s languages.
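The definitions of Section 2 (runs and acceptance of an $n$-tape automaton, the automata $A_=$ and $A_\circ$ of Example 3), the delay-bounded intersection of Section 4.1, and the zero-delay case of Corollary 9 and Example 10 can be exercised with the following Python code. It is an example added here, not the paper's prototype: the state names and edges of $A_=$ and $A_\circ$ are assumptions (the figures are not reproduced, and only the async_next listing constrains $A_\circ$), and the intersection is a simplified reformulation of the algorithm in which each shared tape carries a single lookahead buffer recording which component has read ahead and what it read (the paper's delayed transitions), bounded by $d$ symbols per tape; as in new_states, each composite state also carries the tape it reads.

```python
# Added example, not the paper's prototype: n-tape automata (Definition 1), A_=
# and A_o of Figures 1-2 (state names assumed), and a delay-bounded intersection.
from itertools import product

END = '$'  # end-marker closing every input tape

class MTA:
    """n-tape automaton (Sigma, T, Q, tau, delta, Q0, F); delta as a relation."""
    def __init__(self, tapes, tape_of, edges, init, finals):
        self.tapes, self.tape_of = tuple(tapes), dict(tape_of)   # T and tau
        self.out = {}                                              # q -> [(a, q')]
        for p, a, q in edges:
            self.out.setdefault(p, []).append((a, q))
        self.init, self.finals = frozenset(init), frozenset(finals)

    def accepts(self, word):
        """Search the runs on the n-word `word` for one reaching a final state."""
        todo, seen = [(q, tuple(w + END for w in word)) for q in self.init], set()
        while todo:
            q, ys = todo.pop()                     # configuration: state, inputs left
            if q in self.finals:
                return True
            i = self.tapes.index(self.tape_of[q])  # tape read in state q
            if (q, ys) in seen or not ys[i]:       # seen, or head past the end-marker
                continue
            seen.add((q, ys))
            for a, q2 in self.out.get(q, []):
                if a == ys[i][0]:
                    todo.append((q2, ys[:i] + (ys[i][1:],) + ys[i + 1:]))
        return False

def A_eq(X, Y):
    """A_=(X, Y): pairs of equal words over {a, b}, reading X and Y alternately."""
    return MTA((X, Y), {'=1': X, '=2': Y, '=3': Y, '=4': Y, '=5': Y},
               [('=1', 'a', '=2'), ('=2', 'a', '=1'), ('=1', 'b', '=3'),
                ('=3', 'b', '=1'), ('=1', END, '=4'), ('=4', END, '=5')], ['=1'], ['=5'])

# A_o(X, Y, Z): Z = XY; all of X is read (against Z) before any of Y.
A_CAT = MTA(('X', 'Y', 'Z'), {'o1': 'X', 'o2': 'Z', 'o3': 'Z', 'o4': 'Y',
                               'o5': 'Z', 'o6': 'Z', 'o7': 'Z', 'o8': 'Z'},
            [('o1', 'a', 'o2'), ('o2', 'a', 'o1'), ('o1', 'b', 'o3'), ('o3', 'b', 'o1'),
             ('o1', END, 'o4'), ('o4', 'a', 'o5'), ('o5', 'a', 'o4'), ('o4', 'b', 'o6'),
             ('o6', 'b', 'o4'), ('o4', END, 'o7'), ('o7', END, 'o8')], ['o1'], ['o8'])

def intersect(A, B, d):
    """C with L(C) within L(A) & L(B). Composite state (p, q, buf, t): buf[i] =
    (owner, ahead) says which component read `ahead` on the i-th shared tape
    before the other one (its delay, bounded by d symbols per tape)."""
    tapes = list(A.tapes) + [t for t in B.tapes if t not in A.tapes]
    idx = {t: i for i, t in enumerate(s for s in A.tapes if s in B.tapes)}
    empty = tuple((None, '') for _ in idx)
    symbols = {a for M in (A, B) for edges in M.out.values() for a, _ in edges}

    def closure(p, q, buf):
        """Let a component read ahead on a shared tape: a delayed transition."""
        todo, seen = [(p, q, buf)], set()
        while todo:
            p1, q1, b1 = todo.pop()
            seen.add((p1, q1, b1))
            for side, M, s in (('A', A, p1), ('B', B, q1)):
                i = idx.get(M.tape_of[s])
                if i is None or b1[i][0] not in (None, side) or len(b1[i][1]) >= d:
                    continue                       # private tape, other side ahead, or bound hit
                for a, s2 in M.out.get(s, []):
                    b2 = b1[:i] + ((side, b1[i][1] + a),) + b1[i + 1:]
                    todo.append((s2, q1, b2) if side == 'A' else (p1, s2, b2))
        return seen

    def step(p, q, buf, t, a):
        """Composite moves in which C itself reads `a` on tape `t`."""
        i, b2 = idx.get(t), buf
        if i is None:                              # private tape: one side moves
            M, s = (A, p) if t in A.tapes else (B, q)
        elif buf[i][0] is None:                    # synchronized: both read `a` now
            return {(p2, q2, buf) for (x, p2), (y, q2) in
                    product(A.out.get(p, []), B.out.get(q, []))
                    if x == y == a and A.tape_of[p] == t and B.tape_of[q] == t}
        else:                                      # the lagging side catches up
            owner, ahead = buf[i]
            if ahead[0] != a:                      # must match what was read ahead
                return set()
            b2 = buf[:i] + (((owner, ahead[1:]) if ahead[1:] else (None, '')),) + buf[i + 1:]
            M, s = (B, q) if owner == 'A' else (A, p)
        return {(s2, q, b2) if M is A else (p, s2, b2)
                for x, s2 in M.out.get(s, []) if x == a and M.tape_of[s] == t}

    init = [(p, q, empty, t) for p in A.init for q in B.init for t in tapes]
    todo, states, edges = list(init), set(init), set()
    while todo:
        src = todo.pop()
        for (p1, q1, b1), a in product(closure(*src[:3]), symbols):
            for dst in [s + (t2,) for s in step(p1, q1, b1, src[3], a) for t2 in tapes]:
                edges.add((src, a, dst))           # the successor may read any tape
                if dst not in states:
                    states.add(dst)
                    todo.append(dst)
    finals = [s for s in states if s[0] in A.finals and s[1] in B.finals and s[2] == empty]
    return MTA(tapes, {s: s[3] for s in states}, edges, init, finals)
```

Running `intersect(A_eq('X', 'Y'), A_CAT, d)` reproduces the unbounded-delay situation of Section 4.1: the two automata share $X$ and $Y$, and the resulting $C$ accepts $(x, x, xx)$ only for short $x$ (in this formulation $|x| \le 2d$, since the delay can be split between $A_=$ reading ahead on $Y$ and $A_\circ$ reading ahead on $X$), while it never accepts a triple outside $\mathcal{L}(A_=) \cap \mathcal{L}(A_\circ)$. Running `intersect(A_CAT, A_eq('Z', 'W'), 0)` is Example 10: the only shared tape is $Z$, and $d = 0$ already yields the full intersection, as Corollary 9 predicts.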

4.4 Approximating Complement 

Since deterministic automata are closed under complement, we can use a construction to approximate determinization to build approximate complement automata. A straightforward under-approximation algorithm for determinization works as follows. Consider a generic nondeterministic automaton $A$, and let $b$ be a bound on delays; $\hat{A}$ is the approximate deterministic version of $A$ which we construct. Whenever $A$ has a nondeterministic choice between going from state $q$ to states $q_1$ or $q_2$ upon reading some $\sigma$, $\hat{A}$ goes to $q_1$ and continues the computation corresponding to that choice for up to $b$ steps; while performing these $b$ steps, $\hat{A}$ stores the symbols read in its finite memory. If the computation terminates with acceptance within $b$ steps, then $\hat{A}$ accepts; otherwise, it continues with the computation that goes to $q_2$, using the stored finite input for $b$ steps and then continuing as normal. It is clear that if such an automaton $\hat{A}$ accepts, $A$ accepts as well; the converse is in general not true. Since $\hat{A}$ is deterministic, it can be complemented with the usual construction that switches accepting and non-accepting states.

A completeness result similar to Theorem 8 is not possible for the complementation construction that leverages approximate determinization, which we have outlined. While deterministic automata are closed under complement, the converse is not true: there exist automatic languages whose complement is also automatic that are strictly nondeterministic. For example, consider $L = \{(a^x, a^y) \mid x \neq y \text{ or } x \neq 2y\}$. It is clear that $L$ is automatic; it also requires nondeterminism to "guess" whether to check $x \neq y$ (pair each $a$ on the first tape with one $a$ on the second tape) or $x \neq 2y$ (pair each $a$ on the first tape with two $a$'s on the second tape). $L$'s complement $\overline{L}$ is the singleton set with $(\epsilon, \epsilon)$, and hence also automatic.



5 Implementation and Experiments 

To demonstrate the constructions for multi-tape automata in practice, we implemented the algorithm of Section 4.1 in Python with the IGraph library to represent automata transition graphs; the prototype implementation is about 900 lines long, and includes other basic operations on asynchronous automata such as union, complement (for deterministic automata), and emptiness test. Using this prototype, we constructed eight composite automata corresponding to language-theoretic examples and simple verification conditions expressible as the composition of automatic predicates, and tested them for emptiness. Table 1 lists the results of the experiments; the examples themselves are described in the Appendix. All the experiments ran on a Ubuntu GNU/Linux box with Intel Quad Core2 CPU at 2.40 GHz, 4 GB of RAM, Python 2.7.3, and IGraph 0.6. Each experiment consists of three parts: computing the intersection until (possibly bounded) termination (INTERSECTION), simplifying the resulting automaton by removing all states where no accepting state is reachable (CLEAN-UP), and testing the emptiness on the simplified intersection (EMPTINESS). For each part of each experiment, Table 1 reports the time taken to complete it ($t$, in seconds); for the first two parts, it also shows the number of states $|Q|$ and transitions $|\delta|$ of the generated automaton; the EMPTINESS column also shows the outcome ($\emptyset$?: Y for empty, N for non-empty), which is, of course, correct.



6 Related Work 

The study of multi-tape automata began with the classic work of Rabin and Scott [24]. In the 1960's, Rosenberg and others contributed to the characterization of these automata [8]. Recent research has targeted a few open issues, such as the properties of synchronous automata [17] and the language equivalence problem for deterministic multi-tape automata [13]. See [10] for a detailed survey of multi-tape automata.
Table 1. Checking languages and verification conditions with multi-tape automata. (Table body not reproduced on this page.)



Khoussainov and Nerode [21] introduced a framework for the presentation of first-order structures based on multi-tape automata; while [21] also defines asynchronous automata, all its results target synchronous automata — and so did most of the research in this line (e.g., [1, 25, 18, 19]). To our knowledge, there exist only a few applications that use asynchronous multi-tape automata. Motivated by applications in computational linguistics, [5] discusses composition algorithms for weighted multi-tape automata. Our intersection algorithm (Section 4.1) shares with [5] the idea of accumulating delays in states; on the other hand, [5] expresses intersection as the combination of simpler composition operations, and targets weighted automata with bounded delays — a syntactic restriction that guarantees that reading heads are synchronized — suitable for the applications of [5] but not for the program verification examples of Section 5. Another application is reasoning about databases of strings (typically representing DNA sequences), for which multi-tape transducers have been used [11].

Much recent research targeted the invention of decision procedures for expressive first-order fragments useful in reasoning about functional properties of programs. Interpreted theories supporting operations on words, such as some of the examples in the present paper, include theories of arrays [2, 12], strings [22], multi-sets [23], lists [28], and sequences [9]. All these contributions (with the exception of [12]) use logic-based techniques, but automata-theoretic techniques are ubiquitous in other areas of verification — most noticeably, model-checking [27]. The present paper has suggested another domain where automata-theoretic techniques can be useful.



7 Future Work 

Future work will extend the applicability of asynchronous multi-tape automata constructions for deciding first-order theory fragments useful in verification. First, we will investigate syntactic conditions for completeness of intersection more general than those of Corollary 9, possibly based on graph-theoretic properties of the intersecting automata. Second, we will consider specializations of the intersection algorithm to perform emptiness testing on-the-fly. Third, we will consider other applications of the theory of multi-tape automata, such as synthesis (from first-order functional specifications) and inference of invariants for inductive reasoning.
A Multi-Tape Automata: Negative Results (Section 3)



While Theorem 4 subsumes the undecidability of the automatic intersection problem, we can give independent proofs of two variants of the problem. The first one uses a reduction from Post's correspondence problem; the second one, given later, a reduction from the disjointness problem for multi-tape automata.

Theorem 11. The automatic intersection problem is undecidable. 

Proof. We prove undecidability by reduction from Post's correspondence problem (PCP): given a finite set $\{(x_1, y_1), \ldots, (x_m, y_m)\}$ of 2-words over $\Sigma$ (with $|\Sigma| \geq 2$), determine if there exists a sequence $i_1, \ldots, i_k$ of indices from $1, \ldots, m$ (possibly with repetitions) such that $x_{i_1} x_{i_2} \cdots x_{i_k} = y_{i_1} y_{i_2} \cdots y_{i_k}$.

Given an instance of PCP, define $X = \{x_1, \ldots, x_m\}$ and $Y = \{y_1, \ldots, y_m\}$. Assume, without loss of generality, that the symbols $1, \ldots, m$ and a marker $\#$ are not in $\Sigma$. Consider the two languages $L_1, L_2$ defined as:

$$L_1 = \{(i_1 \cdots i_\alpha,\ x_{i_1} \cdots x_{i_\alpha},\ y_{i_1} \cdots y_{i_\alpha} \# x) \mid \alpha \geq 0 \text{ and } x \in X^*\},$$
$$L_2 = \{(j_1 \cdots j_\beta,\ y_{j_1} \cdots y_{j_\beta},\ y \# x_{j_1} \cdots x_{j_\beta}) \mid \beta \geq 0 \text{ and } y \in Y^*\},$$

where the $i_h$'s and $j_h$'s are indices from $1, \ldots, m$. It is not difficult to see that $L_1$ and $L_2$ are automatic languages. An automaton accepting $L_1$ works as follows: for each element on the first tape, it checks that the corresponding $x_{i_k}$ and $y_{i_k}$ respectively appear on the second and third tape; finally, it checks that only elements in $X$ appear after the $\#$ on the third tape. An automaton for $L_2$ can follow a similar logic. The intersection $L = L_1 \cap L_2$ consists of all words of the form

$$((i_1 \cdots i_k)^n,\ (x_{i_1} \cdots x_{i_k})^n,\ (y_{i_1} \cdots y_{i_k})^n \# (x_{i_1} \cdots x_{i_k})^n)$$

for $n \geq 0$, such that $i_1, \ldots, i_k$ is a solution of the PCP. If the PCP has no solution, then $L$ is the singleton $(\epsilon, \epsilon, \epsilon)$ which is clearly automatic; conversely, if the PCP has a solution, $L$ contains infinitely many words but is not automatic, because its projection onto the third component has the form $u^n \# v^n$, which is non-regular [10]. □



The proof of Theorem 11 uses 3-words, which implies that the result carries over to any number of tapes $n \geq 3$; is it possible to generalize to $n \geq 2$? It seems difficult to simultaneously express the PCP solution requirements and the non-regularity of one of the components. However, a slightly weaker (but practically as useful) undecidability result for $n \geq 2$ tapes follows easily from the undecidability [10] of the disjointness problem for automatic languages (that is, determining whether the intersection $L_1 \cap L_2$ of two automatic languages is empty). We can prove that the following problem $P$ is undecidable: constructively determine whether the intersection $L_1 \cap L_2$ of two automatic languages $L_1, L_2$ is automatic; "constructively" refers to the fact that we require that, if $L_1 \cap L_2$ is automatic, then we can build an automaton $A_{1,2}$ such that $\mathcal{L}(A_{1,2}) = L_1 \cap L_2$. Assume, to the contrary, that $P$ is decidable. Then, we have a decision procedure for the disjointness problem: if $L_1 \cap L_2$ is automatic, construct an automaton $A_{1,2}$ that accepts it, and test $A_{1,2}$ for emptiness; otherwise, $L_1 \cap L_2$ is not automatic, and hence certainly $L_1 \cap L_2 \neq \emptyset$.
B Under-Approximation of Intersection (Section 4.1)



async_next (D, q): SET[(q', h_1, ..., h_t)]
    -- q is always reachable from itself
    Result := {(q, ε, ..., ε)}
    -- for every tape other than q's
    for each t_i ∈ T_D \ {τ_D(q)} do
        P := all shortest paths p from q to some q̄ such that:
             τ_D(q̄) = t_i and no state q̂ with τ_D(q̂) = t_i appears in p before q̄
        -- each element in P is a sequence of transitions
        for each e_1 ··· e_m ∈ P do
            h_1, ..., h_t := ε
            -- each transition is a triple (source, input, target)
            for each (q_1, σ, q_2) ∈ e_1 ··· e_m do
                -- add the transition to the sequence corresponding to its source's tape
                h_{τ_D(q_1)} := h_{τ_D(q_1)} · (q_1, σ, q_2)
            -- q_2(e_m) is the target state of the last transition e_m
            Result := Result ∪ {(q_2(e_m), h_1, ..., h_t)}

new_states (P: SET[(p, h_1, ..., h_m)], Q: SET[(q, k_1, ..., k_n)]): S
    S := ∅
    for each (p, h_1, ..., h_m) ∈ P, (q, k_1, ..., k_n) ∈ Q do
        -- if delays on synchronized tapes are consistent
        if ∀i ∈ T_A ∩ T_B : cons(h_i, k_i) then
            for each t ∈ T do S := S ∪ {(p, q, t, h_1, ..., h_m, k_1, ..., k_n)} end
    -- Here Q denotes C's set of states, not the input argument
    for each r ∈ S do if r ∉ Q then s.push(r) end

compose_transition (P: SET[(p, h_1, ..., h_m)], Q: SET[(q, k_1, ..., k_n)],
                    d: (h_1, ..., h_m, k_1, ..., k_n), σ, r)
    J_A := {(p, h_1 h'_1, ..., h_m h'_m) | (p, h'_1, ..., h'_m) ∈ P}
    J_B := {(q, k_1 k'_1, ..., k_n k'_n) | (q, k'_1, ..., k'_n) ∈ Q}
    S := new_states(J_A, J_B)
    for each r' ∈ S do δ := δ ∪ {(r, σ, r')} end

Fig. 3. Routines async_next, new_states, compose_transition.
intersect (max_states, max_delay)
    Q := ∅ ; s := ∅
    -- Initially reachable states
    J_A := ∪_{i ∈ Q_A^0} async_next(A, i) ; J_B := ∪_{i ∈ Q_B^0} async_next(B, i)
    S := new_states(J_A, J_B) ; Q_0 := S
    until s = ∅ or |Q| > max_states loop
        r := (q_a, q_b, t, h_1, ..., h_m, k_1, ..., k_n) = s.pop
        if ∀d ∈ {h_1, ..., k_n} : |d| ≤ max_delay then Q := Q ∪ {r} else continue
        if t ∈ T_A ∩ T_B then                       -- event on shared tape
            if h_t = (u_a, σ, u'_a) h̄_t and k_t = (u_b, σ, u'_b) k̄_t then
                -- delayed transition on both A and B
                P := async_next(A, q_a) ; Q := async_next(B, q_b)
                d := (h_1, ..., h̄_t, ..., h_m, k_1, ..., k̄_t, ..., k_n)
                compose_transition(P, Q, d, σ, r)
            elseif h_t = (u_a, σ, u'_a) h̄_t and k_t = ε then
                -- delayed transition on A, normal transition on B
                P := async_next(A, q_a)
                Q := { async_next(B, q'_b) | (q_b, σ_b, q'_b) ∈ δ_B ∧ σ = σ_b ∧ τ_B(q_b) = t }
                d := (h_1, ..., h̄_t, ..., h_m, k_1, ..., k_n)
                compose_transition(P, Q, d, σ, r)
            elseif h_t = ε and k_t = (u_b, σ, u'_b) k̄_t then
                -- delayed transition on B, normal transition on A
                ...
            elseif h_t = k_t = ε then
                -- normal transition on both A and B
                for each σ ∈ Σ do
                    P := { async_next(A, q'_a) | (q_a, σ_a, q'_a) ∈ δ_A ∧ σ_a = σ ∧ τ_A(q_a) = t }
                    Q := { async_next(B, q'_b) | (q_b, σ_b, q'_b) ∈ δ_B ∧ σ_b = σ ∧ τ_B(q_b) = t }
                    d := (h_1, ..., h_m, k_1, ..., k_n)
                    compose_transition(P, Q, d, σ, r)
        elseif t ∈ T_A \ T_B then                   -- event on A's non-shared tape
            if h_t = (u_a, σ, u'_a) h̄_t then          -- delayed transition on A, B stays
                P := async_next(A, q_a) ; Q := {(q_b, ε, ..., ε)}
                d := (h_1, ..., h̄_t, ..., h_m, k_1, ..., k_n)
                compose_transition(P, Q, d, σ, r)
            elseif h_t = ε then                      -- normal transition on A, B stays
                Q := {(q_b, ε, ..., ε)}
                for each σ ∈ Σ do
                    P := { async_next(A, q'_a) | (q_a, σ_a, q'_a) ∈ δ_A ∧ σ_a = σ ∧ τ_A(q_a) = t }
                    d := (h_1, ..., h_m, k_1, ..., k_n)
                    compose_transition(P, Q, d, σ, r)
        elseif t ∈ T_B \ T_A then                   -- event on B's non-shared tape
            ...

Fig. 4. Routine intersect.
C Correctness and Completeness (Section 4.2)



Lemma 12 (Pumping lemma). Let $L$ be an $n$-asynchronous language. Then there exists an integer $N \geq 1$ such that every word $(x_1, \ldots, x_n) \in L$ where $|x_1| + \cdots + |x_n| \geq N$ can be written as $(p_1 q_1 r_1, \ldots, p_n q_n r_n)$, with $q_k \neq \epsilon$ for at least one $1 \leq k \leq n$, and $(p_1 q_1^m r_1, \ldots, p_n q_n^m r_n)$ is in $L$ for every $m \in \mathbb{N}$.

Proof. Let $A_L$ be an automaton accepting $L$; then, the number of states $M$ of $A_L$ is the pumping length $N = M$. Consider a word $w = (x_1, \ldots, x_n) \in L$ with length $|x_1| + \cdots + |x_n| \geq N$. A computation accepting $w$ visits $N + 1$ states of $A_L$; by the pigeonhole principle, there exists a state $s$ in the sequence which is visited twice. The sequence of symbols read in the transitions that go from the first to the second visit of $s$ determines an $n$-word $(q_1, \ldots, q_n)$ with at least one $q_k \neq \epsilon$. Looping an arbitrary number of times over the sequence that starts and ends on $s$ determines words that are all accepted by $A_L$, and hence belong to $L$.

Proof of Theorem 8

Proof (of Theorem 8). Since $L = \mathcal{L}(A) \cap \mathcal{L}(B)$ is automatic, there exists an $n$-tape automaton $A_L$ accepting it; let $N$ be the maximum number of states among $A_L$, $A$, and $B$; we use this as the bound on delays. For a generic $n$-word $x$, let us show that $C$ accepts $x$ iff both $A$ and $B$ accept $x$. The left-to-right implication is subsumed by the correctness argument (Theorem 6): if $C$ accepts $x$, then $x \in L$.

For the converse implication, we assume that both $A$ and $B$ accept $x \in L$ and show that $C$ accepts it as well. Since $x \in L$, there exists an accepting run $\rho = \rho_0 \cdots \rho_m$ of $A_L$ on $x$. We claim that $\rho$ can be split into substrings $R_1, R_2, \ldots, R_r$, where $R_k = \rho_{k,1} \cdots \rho_{k,m_k}$ for all $1 \leq k \leq r$, with the following properties. For all $1 \leq k \leq r$: (1) $\rho_{1,1} = \rho_0$; (2) $\rho_{r,m_r} = \rho_m$; (3) if $k > 1$, the first element $\rho_{k,1}$ equals the last element $\rho_{k-1,m_{k-1}}$ of the previous substring; (4) $R_k$ has length at most $N$; (5) there exist permutations $\pi_k^A$, $\pi_k^B$ such that $\pi_k^A(R_k)$ induces a valid run of $A$ and $\pi_k^B(R_k)$ a valid run of $B$ on $x$ — as in the proof of Theorem 7. This means that every word accepted by both $A$ and $B$ can be read by consecutive sequences of steps, each of which accumulates no more than $N$ delayed transitions. Since $C$ accepts all words accepted by both $A$ and $B$ that require delays no greater than $N$, $C$ accepts $x$ as well.

Let us now prove the claim. Assume to the contrary that $\rho$ cannot be split as required; since we can always take $r = 1$ and permute the whole $\rho$ (as in the proof of Theorem 7), the only condition that may fail is (4); thus, there exists a substring $R_k$ that has more than $N$ elements and such that each of its strict prefix substrings is not permutable to obtain valid runs on $A$, $B$, or both — in other words, it corresponds to reading at least one character that cannot be read by $A$, $B$, or both — but the whole $R_k$ itself is. Without loss of generality, let us focus on $A$. The pigeonhole principle implies that $R_k$ induces a run on $A$ containing two configurations with the same state $q$ (remember that $N$ is at least as large as the number of states of $A$). Let us write such induced run $R'$ on $A$ as

$$q_1 \xrightarrow{\sigma_1} q_2 \xrightarrow{\sigma_2} \cdots \xrightarrow{\sigma_{t-1}} q_t \xrightarrow{\sigma_t} \cdots \xrightarrow{\sigma_{u-1}} q_u \xrightarrow{\sigma_u} q_{u+1} \cdots \xrightarrow{\sigma_{M-1}} q_M,$$

with $q_t = q_u = q$ and $M > N$ (each pair of consecutive states is connected by an arrow with the character read when transitioning). Now, we distinguish two cases. If the loop from $q_t$ to $q_u$ does not accumulate any delayed transitions, we can equivalently execute it synchronously at the beginning of $R'$, thus splitting $R'$ into two substrings. If each substring has length less than $N$, this branch of the proof is concluded; otherwise, the argument applies recursively. For the other case, assume that the loop from $q_t$ to $q_u$ accumulates some delayed transitions. Observe that, for $p > 1$, any longer string $x_p$ including $\sigma_1 \sigma_2 \cdots \sigma_{t-1} (\sigma_t \cdots \sigma_{u-1})^p \sigma_u \cdots \sigma_{M-1}$ obtained by "pumping" the loop is also in $\mathcal{L}(A)$ (Lemma 12). Whatever input delay $A$ had upon reaching $q$ the first time, it must have a longer one upon reaching it the second time. But then it is not possible that $A$ accepts both the original word $x$ (for $p = 1$) and the pumped word $x_p$: $A$ has a longer delay in $x_p$ when reaching $q$, but the tails of $x_p$ and $x$ are the same, and hence cannot contain both delayed words. This contradiction concludes the proof. □



D Asynchronous Automatic Theories 

The signature $S_\Theta = C \cup F \cup R$ of a first-order theory $\Theta$ is a set of constant $C$, function $F$, and predicate $R$ symbols. A quantifier-free formula of $\Theta$ is built from constant, function, and predicate symbols of $S_\Theta$, as well as variables $x, y, z, \ldots$ and logical connectives $\vee, \wedge, \neg$. An interpretation² $I_\Theta$ assigns constants, functions, and predicates over a domain $D$ to each element of $C$, $F$, and $R$. It is customary that $R$ include an equality symbol $=$ with its natural interpretation. Then, assume without loss of generality that $\Theta$ is relational, that is $F = \emptyset$; to this end, introduce an $(m+1)$-ary predicate $R_f$ for every $m$-ary function $f$ such that $R_f(x_1, \ldots, x_m, y)$ holds iff $f(x_1, \ldots, x_m) = y$. A model $M$ of a formula $F$ of $\Theta$ is an assignment of values to the variables in $F$ that is consistent with $I_\Theta$ and makes the formula evaluate to true; write $M \models F$ to denote that $M$ is a model of $F$. The set of all models of a formula $F$ under an interpretation $I_\Theta$ is denoted by $[F]_{I_\Theta}$. $F$ is satisfiable in the interpretation $I_\Theta$ if $[F]_{I_\Theta} \neq \emptyset$; it is valid if $[F]_{I_\Theta}$ contains all variable assignments that are consistent with $I_\Theta$.
An automatic presentation [21] of a first-order theory $\Theta$ consists of:

1. A finite alphabet $\Sigma$;

2. A surjective mapping $\nu : S \to D$, with $S$ a regular subset of $\Sigma^*$, that defines an encoding of elements of the domain $D$ in words over $\Sigma$;

3. A 2-tape automaton $A_{eq}$ whose language is the set of 2-words $(x, y) \in (\Sigma^*)^2$ such that $\nu(x) = \nu(y)$;

4. For each $m$-ary relation $R_m \in R$, an $m$-tape automaton $A_{R_m}$ whose language is the set of $m$-words $(x_1, \ldots, x_m) \in (\Sigma^*)^m$ such that $R_m(\nu(x_1), \ldots, \nu(x_m))$ holds.

A first-order theory with automatic presentation is called automatic theory. If the au- 
tomata of the presentation are deterministic (resp. synchronous, asynchronous) the the- 
ory is also called deterministic (resp. synchronous, asynchronous). 

² For simplicity, we do not discuss how to axiomatize the semantics of interpreted items.
Example 13 (Automatic theory of concatenation). The theory of concatenation over $\{a, b\}^*$ is the first-order theory with constant $\epsilon$ (the empty sequence), sequence equality $=$, and concatenation predicate $R_\circ$ such that $R_\circ(x, y, z)$ holds iff $z$ is the concatenation of $x$ and $y$. This theory is asynchronous automatic, with $\Sigma = \{a, b\}$, $\nu$ the identity function, $A_{eq}$ as in Figure 1 and $A_{R_\circ}$ as in Figure 2.

Consider a quantifier-free formula $F$ of an automatic theory $\Theta$. To decide if $F$ is satisfiable we can proceed as follows. First, build an automaton $A_F$ that recognizes exactly the models of $F$. This is done by composing the elementary automata of the theory according to the propositional structure of $F$; namely, for sub-formulas $G, H$, negation $\neg G$ corresponds to complement $\overline{A_G}$, disjunction $G \vee H$ corresponds to union $A_G \cup A_H$, and conjunction $G \wedge H$ corresponds to intersection $A_G \cap A_H$. To verify if $F$ is valid, test whether $A_{\neg F} = \overline{A_F}$ is empty: $\mathcal{L}(A_{\neg F})$ is empty iff $\neg F$ is unsatisfiable iff $F$ is valid.

We can apply this procedure only when the automaton $A_F$ is effectively constructible, which is not always the case for asynchronous automatic theories because asynchronous automata lack some closure properties (see Section 2.2) — intersection, in particular. The following section, however, shows some non-trivial examples of formulas whose automatic presentation falls under the criterion of Corollary 9 (and whose components to be complemented are deterministic), hence we can decide their validity by means of automata constructions.



E Implementation and Experiments (Section 5)

Section E.1 shows two examples where the structure of the composed automata prevents an unbounded accumulation of delays when computing the intersection. The examples in Section E.2, instead, only consider intersections with at most one shared tape, for which the approximate intersection with no delays is complete (Corollary 9).



E.1 Language-Theoretic Examples

Examples $L_{1,2}$ and $L_{3,4}$ (taken from [20]) are 2-word languages whose intersection is finite. The structure of the automata recognizing the intersected components is such that the algorithm intersect can only unroll their loops finitely many times, hence terminates without a given bound. $L_{1,2}$ is the intersection $L_{1,2} = L_1 \cap L_2 = \{(abcabc, abcabca)\}$ of $L_1 = \{(ab(cab)^n c, a(bc)^n abca) \mid n \in \mathbb{N}\}$ and $L_2 = \{((abc)^n, a(bca)^n) \mid n \in \mathbb{N}\}$. $L_{3,4}$ is the intersection $L_{3,4} = L_3 \cap L_4 = \{(ab, xyz)\}$ of $L_3 = \{(ab^n, xy^n z) \mid n \in \mathbb{N}\}$ and $L_4 = \{(a^n b, xy^n z) \mid n \in \mathbb{N}\}$. It is trivial to build the automata for $L_1, L_2, L_3, L_4$; the experiments reported in Table 1 composed them and determined their finite intersection languages.
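The following Python program is an added illustration, not the paper's prototype, of the delay-bounding idea behind the intersect routine of Appendix B, run on the $L_3$ and $L_4$ automata just described. Instead of the async_next / compose_transition bookkeeping it uses a simpler product construction (my own simplification): for each shared tape it records which component has read ahead and by which symbols, refuses to let that read-ahead exceed the bound, and accepts only with all read-ahead consumed. With bound 0 the under-approximation of $L_3 \cap L_4$ is empty (the two automata start on different tapes), while bound 1 already yields exactly $\{(ab, xyz)\}$; the automata, state names and tape names T1, T2 are constructed for this example.

```python
from collections import deque

class AsyncAutomaton:
    """Asynchronous multi-tape automaton: a transition (tape, symbol, target) reads one
    symbol from one named tape; tape None marks a silent move (used by the product)."""

    def __init__(self, tapes, start, accepting, delta):
        self.tapes, self.start = set(tapes), start
        self.accepting, self.delta = set(accepting), delta  # delta: state -> [(tape, sym, q')]

def _moves(M, q, pend, shared, bound, me, other):
    """Moves of component M from state q; pend[i] = (side ahead on shared tape i, its read-ahead)."""
    out = []
    for tape, sym, q2 in M.delta.get(q, []):
        if tape not in shared:                      # non-shared tape: always asynchronous
            out.append(((tape, sym), q2, pend))
            continue
        i = shared.index(tape)
        ahead, buf = pend[i]
        if ahead == other:                          # the other side read ahead: consume in order
            if buf[0] == sym:                       # (a mismatch simply has no successor)
                rest = buf[1:]
                out.append((None, q2, pend[:i] + ((other if rest else '', rest),) + pend[i + 1:]))
        elif len(buf) < bound:                      # read ahead ourselves, within the delay bound
            out.append(((tape, sym), q2, pend[:i] + ((me, buf + sym),) + pend[i + 1:]))
    return out

def bounded_intersection(A, B, bound):
    """Product of A and B in which neither side may be more than `bound` symbols ahead on a
    shared tape: sound for every bound, complete once the bound covers the delays needed."""
    shared = sorted(A.tapes & B.tapes)
    start = (A.start, B.start, tuple(('', '') for _ in shared))
    delta, accepting, seen, todo = {}, set(), {start}, deque([start])
    while todo:
        st = todo.popleft()
        qa, qb, pend = st
        succ = []
        for tape, sym, qa2 in A.delta.get(qa, []):  # synchronous read on a shared tape: no delay
            if tape in shared and pend[shared.index(tape)][1] == '':
                succ += [((tape, sym), (qa2, qb2, pend))
                         for t2, s2, qb2 in B.delta.get(qb, []) if (t2, s2) == (tape, sym)]
        succ += [(lab, (qa2, qb, p2)) for lab, qa2, p2 in _moves(A, qa, pend, shared, bound, 'A', 'B')]
        succ += [(lab, (qa, qb2, p2)) for lab, qb2, p2 in _moves(B, qb, pend, shared, bound, 'B', 'A')]
        delta[st] = [(lab or (None, None)) + (nxt,) for lab, nxt in succ]
        if qa in A.accepting and qb in B.accepting and all(b == '' for _, b in pend):
            accepting.add(st)                       # accept only once every read-ahead is consumed
        for _, nxt in succ:
            if nxt not in seen:
                seen.add(nxt); todo.append(nxt)
    return AsyncAutomaton(A.tapes | B.tapes, start, accepting, delta)

def is_empty(C):
    """Emptiness of a product from bounded_intersection, which holds reachable states only."""
    return not C.accepting

def accepts(M, word):
    """Membership of the n-word `word` (dict tape -> string): search over (state, read positions)."""
    tapes = sorted(M.tapes)
    start = (M.start, tuple(0 for _ in tapes))
    seen, todo = {start}, [start]
    while todo:
        q, pos = todo.pop()
        if q in M.accepting and all(pos[i] == len(word.get(t, '')) for i, t in enumerate(tapes)):
            return True
        for tape, sym, q2 in M.delta.get(q, []):
            if tape is None:                        # silent move: no tape advances
                nxt = (q2, pos)
            else:
                i, w = tapes.index(tape), word.get(tape, '')
                if pos[i] >= len(w) or w[pos[i]] != sym:
                    continue
                nxt = (q2, pos[:i] + (pos[i] + 1,) + pos[i + 1:])
            if nxt not in seen:
                seen.add(nxt); todo.append(nxt)
    return False

# Constructed automata for L3 = {(a b^n, x y^n z)} and L4 = {(a^n b, x y^n z)} of Section E.1,
# over tapes T1 and T2 (both shared); their intersection is the single word (ab, xyz).
A3 = AsyncAutomaton({'T1', 'T2'}, 's0', {'s4'}, {
    's0': [('T1', 'a', 's1')], 's1': [('T2', 'x', 's2')],
    's2': [('T1', 'b', 's3'), ('T2', 'z', 's4')], 's3': [('T2', 'y', 's2')]})
A4 = AsyncAutomaton({'T1', 'T2'}, 'u0', {'u4'}, {
    'u0': [('T2', 'x', 'u1')], 'u1': [('T1', 'a', 'u2'), ('T1', 'b', 'u3')],
    'u2': [('T2', 'y', 'u1')], 'u3': [('T2', 'z', 'u4')]})

if __name__ == '__main__':
    for bound in (0, 1):   # bound 0: empty under-approximation; bound 1: exactly {(ab, xyz)}
        C = bounded_intersection(A3, A4, bound)
        print(bound, is_empty(C), accepts(C, {'T1': 'ab', 'T2': 'xyz'}))
```

Every word the product accepts is read in full by both components on every tape, so the construction is sound for any bound; raising the bound only enlarges the accepted set, as Corollary 9 describes for the paper's own routine.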



E.2 Program Verification Examples 

Consider a routine tail that takes a nonnegative integer $n$ and a sequence $x$ and returns the sequence obtained by dropping the first $n$ elements of $x$ (where $\mathit{rest}(x)$ returns $x$ without its first element):

tail (n: ℕ; x: SEQUENCE):
    if n = 0 or x = ε then Result := x else Result := tail(n − 1, rest(x)) end

If $|y|$ denotes the length of $y$, a (partial) postcondition for tail is:

$$(n = 0 \wedge \mathit{Result} = x) \vee (n > 0 \wedge |x| \geq n \wedge |\mathit{Result}| = |x| - n). \qquad (1)$$

The bulk of proving tail against this specification is showing that the postcondition established by the recursive call in the else branch (assumed by inductive h ypothesis) implies the postcondition (1). Discharging this verification condition is equivalent to proving that 3 simpler implications ($vc_0$, $vc_1$, $vc_2$) are valid. For example: $vc_1 = |y| \geq m \wedge y = \mathit{rest}(x) \Rightarrow |x| \geq n \wedge m = n - 1$ states that if sequence $\mathit{rest}(x)$ has length $\geq n - 1$, then the sequence $x$ has length $\geq n$.

We discharged the verification conditions $vc_0, vc_1, vc_2$ using multi-tape automata constructions as follows. $vc_k$ is valid if and only if $\overline{vc_k} = \neg vc_k$ is unsatisfiable. Hence, we have (and see the Appendix for the other formulas):

$$\overline{vc_1} = \neg vc_1 = |y| \geq m \wedge y = \mathit{rest}(x) \wedge (|x| < n \vee m \neq n - 1).$$

Assume that sequence elements are encoded with a binary alphabet $\{a, b\}$ and elements of the sequence are separated by a symbol $\#$; this is without loss of generality as a binary alphabet can succinctly encode arbitrary sequence elements.

Then, define multi-tape automata that implement the atomic predicates appearing in the formulas; in all cases, these are very simple and small deterministic automata. For example, define 3 automata $A_{len}(X, N)$, $A_{rest}(X, Y)$, $A_{dec}(M, N)$ for $vc_1$. In $A_{len}(X, N)$, tape $X$ stores arbitrary sequences encoded as described above, and tape $N$ encodes a nonnegative integer in unary form (as many $a$'s as the integer); $A_{len}(X, N)$ accepts on $X$ sequences whose length (i.e., number of $\#$'s) is no smaller than the number encoded on $N$. $A_{rest}(X, Y)$ accepts if the sequence on tape $Y$ equals the sequence on tape $X$ with the first element (until the first $\#$) removed. $A_{dec}(M, N)$ inputs two nonnegative integers encoded in unary on its tapes $M$, $N$ and accepts iff $M$ has exactly one less $a$ than $N$.

Finally, compose an overall automaton according to the propositional structure of the formula $\overline{vc_k}$ (using intersection, union, and complement as described in Section D) that is equivalent to it, and test it for emptiness. For example, $A_{\overline{vc_1}}$ is equivalent to $\overline{vc_1}$:

$$A_{\overline{vc_1}} = \big(A_{len}(Y, M) \cap A_{rest}(X, Y)\big) \cap \big(\overline{A_{len}(X, N)} \cup \overline{A_{dec}(M, N)}\big), \qquad (2)$$

where $A_{len}(Y, M)$ denotes an instance of $A_{len}$ with tapes $X, N$ renamed to $Y, M$. In all cases $vc_0, vc_1, vc_2$, the overall automaton is effectively constructible from the basic automata and each intersection shares only one tape, hence constructing intersections with a zero bound on delays is complete (see Corollary 9). For example, building $A_{\overline{vc_1}}$ with zero delays is complete, because each element of the disjunction in (2) is treated separately, as every run of the disjunction automaton is either in $A_{len}(X, N)$ (that only shares $X$) or in $A_{dec}(M, N)$ (that only shares $M$).

Table 1 shows the results of discharging the verification conditions through this process. The most complex case is $vc_2$, which is the largest formula with 8 variables. Notice that the implementation is only a proof-of-concept, and significant optimizations are likely possible; they belong to future work.
Failing verification conditions. Automata-based validity checking can also detect invalid verification conditions by showing concrete counter-examples (assignments of values to variables that make the condition false). Formulas $ice_1$ and $ice_2$ are invalid verification conditions obtained by dropping disjuncts or not complementing them in $vc_1$ and $vc_2$. Table 1 shows that the experiments correctly reported non-emptiness.

Even in the cases where the complete intersection is infinite, automatic constructions may still be useful to search on-the-fly for accepting states, with the algorithm stopping as soon as it has established that the intersection is not empty. We did a small experiment in this line with formula $cat_0$, asserting an incorrect property of sequence concatenation: $x \circ y = z \wedge \mathit{last}(z) = u \wedge \mathit{last}(y) = v \Rightarrow u = v$, which does not hold if $y$ is the empty sequence. Building the intersection with zero delays is not guaranteed to be complete because antecedent and consequent share two variables $u, v$; however, it is sufficient to find a counter-example where $y$ is the empty sequence (see Table 1).



$$vc_0 = |y| \geq m \wedge y = \mathit{rest}(x) \Rightarrow |x| \geq n \wedge m = n - 1$$

$$vc_1 = |y| \geq m \wedge y = \mathit{rest}(x) \Rightarrow |x| \geq n \wedge m = n - 1$$

$$cat_0 = x \circ y = z \wedge \mathit{last}(z) = u \wedge \mathit{last}(y) = v \Rightarrow u = v$$

$$ice_1 = |y| \geq m \wedge y = \mathit{rest}(x) \Rightarrow |x| < n$$

$$ice_2 = |\mathit{Result}| = u \wedge u = |y| - m \wedge y = \mathit{rest}(x) \Rightarrow |\mathit{Result}|$$

$$vc_2 = |\mathit{Result}| = u \wedge u = |y| - m \wedge y = \mathit{rest}(x) \Rightarrow |\mathit{Result}| = v \wedge v = |x| - n \wedge m = n - 1 \wedge |x| = n$$